Retail Privacy and Data

The information on this page is meant to be solution-focused and helpful for Canadian retailers navigating privacy and data governance during and beyond COVID-19. If you have any questions or suggestions, please contact Kate Skipton at [email protected].

COVID-19 implications on privacy for retailers

COVID-19 has raised many privacy issues for retailers. These include what information can be collected from customers and employees; for example, during temperature checks, as retailers try to keep stores and staff safe. The pandemic has also raised information-sharing issues, such as what information can be shared for contact tracing reasons with health authorities, and it has increased cyber risk.

Read COVID-19 implications on privacy for retailers

Recent privacy updates

Privacy and data for Canadian retailers

Almost daily, we see and hear headlines about data privacy concerns, data breaches and overall misuse of data (e.g.: Cambridge Analytica, Desjardins).  Increasingly, the retail landscape requires retailers to make use of data to create great customer experiences, while also protecting individuals’ personal information.

Privacy regulations generally apply when a retailer handles information that can identify an individual person. An email address, clothing size, physical location, name, credit card number, IP address, web cookies and video camera footage – these are only some examples of personal data that retailers handle. Common collection situations range from sales staff conversations with customers, payment processing, customer and employee information storage, omnichannel customer engagement across web and mobile and store security video footage. This data often flows across physical and digital landscapes and often across many national and international legal jurisdictions.

Who regulates privacy in Canada?

Federal: The federal Office of the Privacy Commissioner of Canada (OPC) is the main regulator for retailers handling personal information in Canada. The OPC administers Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA applies whenever personal information crosses provincial and territorial borders during commercial activities. PIPEDA also applies generally to personal data handled by retailers in all regions except BC, Quebec and Alberta, which have their own private sector privacy legislation.

PIPEDA applies if information crosses provincial/national borders during commercial activities. PIPEDA generally applies to personal data handled by retailers inside provincial or territorial borders.
Alberta Yes No
British Columbia No
Manitoba Yes
New Brunswick Yes
Newfoundland Yes
Nova Scotia Yes
Ontario Yes
Prince Edward Island Yes
Quebec No
Saskatchewan Yes
Nunavut Yes
Northwest Territories Yes
Yukon Yes

The federal Commissioner of Competition has also entered the data privacy arena: they recently issued Facebook a $9M penalty for deceptive marketing based on misleading privacy policy claims. The Competition Bureau also shares jurisdiction for Canada’s Anti-Spam Law (CASL) with the Canadian Radio-Television and Telecommunications Commissioner (CRTC) and federal Privacy Commissioner (OPC).

Regional:  Every Canadian province and territory has a regulator, in the form of a Commissioner or Ombudsperson, who oversees that region’s privacy legislation.   

Regulators in Quebec, BC and Alberta comprehensively oversee privacy for retailers in those provinces. Four other provinces have regulators that govern personal health information held by retailers: Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador. View regional regulator list. Generally, privacy regulator involvement is triggered by a complaint from an individual, such as from a customer who shares personal information with a retailer and then feels that the retailer has not taken very good care of it. View more information.   

What’s happening in Canadian data privacy reform?

Privacy and data regulatory frameworks are currently undergoing significant reforms in Canada and internationally. The need for Canada to maintain “adequacy status” under Europe’s rigorous General Data Protection Regulation (GDPR) is part of what is driving federal and regional reforms. Retailers, especially those whose businesses involve personal data flowing across regional and international borders, will be looking at a more complex mosaic of stricter data privacy laws over the next few years in Canada and elsewhere.

What potential new privacy rules should retailers expect?

Retailers are familiar with long-held privacy practices like having a privacy policy, asking for customer consent and keeping customer and employee information safe.

The ongoing (approx. 2019 – 2022) Canadian data privacy reforms involve a range of potentially stricter requirements intended to protect individuals’ personal information in the modern, data-driven world. Reform conversations are occurring federally, in Ontario, Quebec and British Colombia. Some new rules commonly proposed across these reforms include:

  • Empowering individuals to have more control over their data. e.g.:
    • Rigorous consent and transparency requirements,
    • Right to have a company delete their data,
    • De-indexing/the right to be forgotten (letting a person remove their information from search engine queries or databases),
    • Data portability/data mobility (letting a person move all their data from one company to another)
  • Empowering individuals and regulators to hold companies more accountable, e.g.: mandatory breach notification, expanded audit powers, more administrative monetary penalties and fines, private rights of action for individuals.
  • Anonymizing (also called “de-identifying”) datasets to help protect the identities of those whose information is contained in the data, as well as addressing the risks of re-identification.
  • Requiring consideration, to varying degrees, of legal privacy protections in countries where companies send data for storage or analysis.
  • Specific process requirements, like appointing a privacy officer and mandating privacy impact assessments (PIAs).

Retailers may wish to look more closely at the regional and international markets in which they operate. They may wish to assess how their current approach to personal data protection fits with any potential new data privacy requirements in those markets.  

Federal

In May 2019, the Canadian federal government released the Digital Charter, a policy platform addressing many areas of digital life. This included reforms to PIPEDA that were proposed in a white paper from the Ministry of Innovation, Science and Economic Development (ISED). These proposed reforms included stronger powers for the federal privacy Commissioner, more financial consequences for non-compliance and revised consent and transparency requirements. They also included data mobility, a stronger focus on codes and technical standards, an exploration of defined data retention periods and stronger incentives for data safeguards (e.g. cybersecurity).

Under the Digital Charter, the Competition Bureau is also addressing some data privacy issues arising from marketplace challenges raised by technological advancement and digitization. In fall 2019, the federal government announced the creation of a third, entirely new federal regulator, a Data Commissioner. PIPEDA amendments based on these reform discussions were delayed politically due to COVID-19. There is a strong possibility that they may not take place until 2021.

The necessity of responding to COVID-19 has, understandably, diminished some of the momentum that was driving Canadian privacy reforms.

Read more:

Regional reforms

Quebec

In June 2020, Quebec released Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.

Strongly inspired by Europe’s General Data Protection Regulation (GDPR), Bill 64 contains many significant new requirements. Retailers may not be able to transfer data outside the province of Quebec unless it goes to a jurisdiction where the legal framework provides protections equivalent to Quebec’s. This differs from the previous regime and from the current approach under PIPEDA. 

Bill 64 also strengthens Quebec’s privacy enforcement regime considerably, including by adding mandatory breach notification and fines up to $25M or 4% of global turnover.

Read more:

British Columbia

B.C.is in the initial stages of a review of its Personal Information Protection Act (PIPA).

In June 2020, the B.C. Office of the Information and Privacy Commissioner (OIPC) asked the Special Committee to consider providing it with the following enforcement powers: mandatory breach notification, the power to issue administrative monetary penalties and the power to initiate investigations and make orders, even without a complaint.

The Special Committee’s report is not due to the B.C. legislature until February 2021.

Ontario

Ontario significantly strengthened its health privacy law, the Personal Health Information Protection Act, 2004 (PHIPA), earlier in 2020. View PHIPA information.

In August 2020, consultations began on a new privacy law for the private sector. Key areas the government is exploring include stronger enforcement powers for the Ontario regulator; giving individuals more control over their data with rights to deletion, de-indexing and data portability; de-identification requirements and rigorous consent and transparency requirements. View discussion paper.

If a new Ontario private sector privacy law is created and deemed substantially equivalent to PIPEDA, that would mean that retailers dealing with Ontario residents’ personal information may soon be governed under a new statute

For questions about these reforms, retailers can email [email protected]

Privacy resources for retailers

Retail Data and Privacy Bulletins (RCC members only)

The Retail Data and Privacy Bulletin is a monthly email newsletter itemizing data governance policy, legal and other developments specifically for Canadian retailers. Launched in late 2019, the bulletin was catalyzed by the need to update RCC members on retail-specific data privacy policy reform and retail data protection best practices.

For more information and to subscribe to the next Bulletin, members can contact [email protected]. (Not yet a member? Contact us to find out more.)

RCC Guidebook: Canadian Anti-Spam Law (CASL): Guidelines for Responsible Transmission of Electronic Messages (RCC members only)

CASL has been in force for several years and applies to email marketing and communications. This members-only Guidebook helps explain CASL for retailers (CASL may also see some changes as part of any forthcoming federal privacy reforms).  

View CASL Guidebook.

RCC Guidebook: How does the GDPR affect Canadian retailers? (RCC members only)

Europe’s General Data Protection Regulation (GDPR) is a privacy regulation that was launched in 2018. If your business has customers or even website visitors from Europe, then you may fall under the GDPR’s scope. The GDPR’s large fines (up to 20M Euro or 4% of a firm’s worldwide annual turnover, whichever is highest), global reach and influence on Canadian federal and provincial privacy reform make it relevant to Canadian retailers. RCC’s GDPR guidebook covers GDPR for Canadian retailers.

View GDPR guidebook

Guiding Principles on Privacy for Retailers in Canada (RCC members only)

Protecting your business and your customers’ personal information against the threats of cyber-breaches and criminal activities is paramount in today’s retail environment. The purpose of this paper is to clarify the guiding principles of the Personal Information and Protection of Electronic Documents Act (PIPEDA) (pre-reform) and the practical applications associated with those principles pertaining to loss prevention and fraud specifically.

Download white paper

Privacy Committee (RCC members only)

The Privacy Committee is comprised of retail professionals interested in and responsible for the areas of data governance and privacy. The purpose of the committee is to share best practices and information related to data governance and privacy and to help members stay ahead of the curve on issues that impact the industry.

Inquire about joining and view more RCC committees

Federal requirements on data breach record-keeping and reporting

lock on a keyboard

As of November 1, 2018, retailers must notify the federal Office of the Privacy Commissioner (OPC) if they experience a data breach that creates a “real risk of significant harm” (RROSH) to the individuals whose personal information is affected. Retailers must also record how they assess whether or not a data breach is serious enough to meet the RROSH standard and require notification.

Find out more

How American retailers use consumer data

Nearly two thirds of U.S. consumers say retailers, not the government or tech vendors, are responsible for data privacy, according to a 2019 Deloitte report. Most U.S. consumers think that retailers use their personal data for target marketing. In fact, the top three consumer data uses by U.S. retailers are to:

  • Increase operational efficiencies
  • Improve product selection
  • Enhance in-store services or experiences.

Consumer journey steps in a data-driven, American retail store may now include mobile phone location data gathering, with AI assistants generating product recommendations and push notifications to personal devices while customers walk around brick-and-mortar stores.

View report

De-identifying personal data in big datasets

Many companies including retailers analyze large volumes of data routinely (“big data”). De-identifying personal information in large datasets is often mentioned as a way to protect privacy. Also called anonymization, effective de-identification means rendering it impossible to identify an individual from the information a dataset contains about them.

However, in practice, rapidly evolving data analytics technologies make it challenging to have confidence that de-identifying any dataset can be permanently effective.

Canadian non-profit CANON is an international resource that covers the challenges posed by anonymization and lists domestic and international anonymization guidance.

View CANON resources

Big data in retail

How do AI and machine learning challenge traditional Canadian privacy frameworks?

Effective data governance reform is challenging in part because some of the technologies underlying the “data-driven” world handle personal information in paradigm-shifting new ways. In the case of AI and machine learning, this paradigm shift presents itself essentially for two reasons: (1) these programs can analyze much larger and more complex datasets, including unstructured data (e.g. audio, image, video and text; unstructured data comprises 80% of enterprise data), and (2) machine learning programs can teach themselves new insights and make decisions based on what they learn.

The ways these technologies can process an individual’s personal data challenge long-held privacy principles like transparency and purpose-based consent. They raise new possibilities and challenges for how data privacy frameworks can still implement those principles in ethical and economically viable ways.

As a result, legal and regulatory reform pertaining specifically to these technologies has been and continues to be under discussion in Canada and internationally. AI’s predictive capacities make it useful to retailers in many ways, e.g. to better manage inventory and supply chains.

View more info on AI and privacy

View March 2020 federal Privacy Commissioner AI consultation document.

View ISED PIPEDA White Paper containing discussion of AI and machine learning reform

View info on AI and inventory

Where can I learn more on public policy issues in Canadian data governance that affect the broader business community, not just retail?

The Business Council’s 2019 Data-Driven Issues Paper provides a thorough overview of the public policy issues facing Canadian data governance policy makers. It delves into privacy elements at issue in the PIPEDA reform and discusses other data governance areas that affect retailers, including cybersecurity, cross-border data flows and interoperability. Broadly, it puts public policy on data in context from a business standpoint.

View Issues Paper

Contact Kate Skipton, Senior Policy Analyst, at [email protected] for more information on:

  • Privacy and Data Committee for RCC members
  • To receive Retail Privacy and Data Bulletins
  • Consultation Submissions on transborder data flows (OPC), PIPEDA reform (ISED), AI regulation (OPC), Ontario Data Strategy (ON MGCS)

Be heard. Save money. Stay informed.

Become a member